1425478a96cf67a4805323afa3987ea4e7424dad16e7c3c32d03da96fa049919

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

70.0MB
MD5

d3ded6f6292b7b3b538776a0ca8f33b2
SHA1

de88a415456610f30bf171880d6c5cbbb3ca3240
SHA256

1425478a96cf67a4805323afa3987ea4e7424dad16e7c3c32d03da96fa049919
SHA512

bb3ebb0e8c694501f49bcf2c4feaa86bac1dd1570e227e8abe74538f969eb45d93ccfb9529b99d4eeb47c2ef25548bac6756662ca639c1c42295a60204309764
SSDEEP

24576:ATLKgMF5jTObaIvsD7sBM8I7oRCL7piz5nWXVW:Tv5rIf1RRGwn4Q

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 1 IoCs

pid	Process
4708	Jokes.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3716	tasklist.exe
2284	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\TissueRapid	Setup.exe
File opened for modification	C:\Windows\AviationConsolidated	Setup.exe
File opened for modification	C:\Windows\UnauthorizedRepeat	Setup.exe
File opened for modification	C:\Windows\PublishingDefeat	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jokes.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4708	Jokes.com
4708	Jokes.com
4708	Jokes.com
4708	Jokes.com
4708	Jokes.com
4708	Jokes.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3716	tasklist.exe
Token: SeDebugPrivilege	2284	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4708	Jokes.com
4708	Jokes.com
4708	Jokes.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4708	Jokes.com
4708	Jokes.com
4708	Jokes.com

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 232	4080	Setup.exe	83
PID 4080 wrote to memory of 232	4080	Setup.exe	83
PID 4080 wrote to memory of 232	4080	Setup.exe	83
PID 232 wrote to memory of 3716	232	cmd.exe	86
PID 232 wrote to memory of 3716	232	cmd.exe	86
PID 232 wrote to memory of 3716	232	cmd.exe	86
PID 232 wrote to memory of 3456	232	cmd.exe	87
PID 232 wrote to memory of 3456	232	cmd.exe	87
PID 232 wrote to memory of 3456	232	cmd.exe	87
PID 232 wrote to memory of 2284	232	cmd.exe	90
PID 232 wrote to memory of 2284	232	cmd.exe	90
PID 232 wrote to memory of 2284	232	cmd.exe	90
PID 232 wrote to memory of 2616	232	cmd.exe	91
PID 232 wrote to memory of 2616	232	cmd.exe	91
PID 232 wrote to memory of 2616	232	cmd.exe	91
PID 232 wrote to memory of 2416	232	cmd.exe	92
PID 232 wrote to memory of 2416	232	cmd.exe	92
PID 232 wrote to memory of 2416	232	cmd.exe	92
PID 232 wrote to memory of 4484	232	cmd.exe	93
PID 232 wrote to memory of 4484	232	cmd.exe	93
PID 232 wrote to memory of 4484	232	cmd.exe	93
PID 232 wrote to memory of 4708	232	cmd.exe	94
PID 232 wrote to memory of 4708	232	cmd.exe	94
PID 232 wrote to memory of 4708	232	cmd.exe	94
PID 232 wrote to memory of 2012	232	cmd.exe	95
PID 232 wrote to memory of 2012	232	cmd.exe	95
PID 232 wrote to memory of 2012	232	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Elected Elected.cmd & Elected.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3456
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 695898
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Wound + ..\Vcr + ..\Providence + ..\Coding + ..\University + ..\Ant + ..\Tales o
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\695898\Jokes.com
    Jokes.com o
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4708
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\695898\o

Filesize
490KB

MD5
0bdff5828f9797569631fdb894ecfd67

SHA1
ec7a8c1aa7a243940ff9797db19e3cafd81948eb

SHA256
b7b4de9b5360b58c3599ce50c354b42ae5ccc1f520637c1c5766e58d7ec67cb1

SHA512
13b747b55f23364649f5f19b78ef1f668e72d4b3c309b84a26498068e6075ecd7d140e422351265473a7f9f68c7cf824f1c21c164134a4f8d9032dc04274a574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ant

Filesize
58KB

MD5
5619474eaa96b03b79710be53a12c04f

SHA1
67b4174371926166a208987b71d00a6afe9be70d

SHA256
cbf79dbc029fd3a4a3a839f970a1d3cf8b2f143c6ecdde08140d5eba0748f749

SHA512
befe7f0d4373efd174c914c476c9823264b0baa6adce0fb582986b65b36aa10e4da3147332e74fddc78334e107a995a76ae959b5018285a193d53f0c574c96c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coding

Filesize
97KB

MD5
30f8bd35607d3bd879831fa4a38e063a

SHA1
fadcdcb78f515ae55cdb5f1f55600c440a19b37d

SHA256
e7cab8805e8d19ba0fa78aaf501b71c1e09d9be48be6b5a86ba51c2a11c75fcc

SHA512
c6126abc8ddb53477465b3024afa06fcd62b015db3460a95d43c6b1983819ca76f29622e7dc8db3b5c142ea779d2f992c0355008e3bcd168258c79223915108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Elected

Filesize
21KB

MD5
151f979d7acaab3692d899ad138d362d

SHA1
d24f905e0773b87569991133a2d54e3d1f016bc5

SHA256
4de7878fc57642ee3357c822b6da3aa421ab3061d9c27edade68b53630dbf5d7

SHA512
dbf12ae3c200dd9071d6a282efc3f7028181df51150241d98e8893119b91ce8ced8edcba33865e7d88f9a3b3338d29cc12abad9e8f4397302fbec2a64b6f0332

Download Submit
C:\Users\Admin\AppData\Local\Temp\Providence

Filesize
75KB

MD5
2254d158461da69365b4d6c762b52ee2

SHA1
1401f7edace1abe2f03908d69834bd460fe30f7e

SHA256
c76a10af818dcd77a55f6d0d3dcfa7ca51e9d4bffaacf22acaa7a685d0938ae0

SHA512
4a350540b42610dbbf659315b7bdb3961b234446fa44af3a1afb45fe143c09ff7710ab3d1c5fe1babe381c6856d1be7f3e94d1e4033f391d07943ededb65829c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reader

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tales

Filesize
28KB

MD5
4111323ab8c8308f9e9189ddc07cfe34

SHA1
02b1fd1525cbbc36b5531991fb543884d83c544d

SHA256
fd801931aacaa811193d582a32a43ee938280c901a51a32e1bc72c473c2c551e

SHA512
8d9529e7bf3a655bd377e65cb31d847b7ee199497347772ba5376e31ae4362b7ed07c65425554d054c9682d790ea813f8bfdd6559edeaf0dce4507422f6701fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\University

Filesize
87KB

MD5
f3a7760b8c382a1ec787d6acfe510937

SHA1
c2cb3c7c680a5481761dc4213d20292131fca4ce

SHA256
ef84d5cdeac7fd75ff72e6aaf75f9bd3b7e7d1aead4490a3563f585878cfe2e7

SHA512
102999aeec06e11da6a01035a3da5a841ef305713df41dc0bd6f4e951942cba5871d0f8ed9151209c558818b260cd742c61cd39f1d77a534fc4b3f0f9dd24bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcr

Filesize
80KB

MD5
67c2f076592a7cd9560dbc1c12195bd4

SHA1
8fe621351ca14c069f5685766c6c14d31a6cebb7

SHA256
648a400aa1b61356b6f90b47f448262dd809452c35d29a8f4ec4610486267e04

SHA512
6328b325089bb671d801b2f499b61df423e06e2e1f791085e4aa13db9aedef1cf4f1f57ee06dd88c2d21a542d8440609b98a9104307343c38012c5ddce973754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wound

Filesize
65KB

MD5
0bc6cce97447361247622129fbd8b2d0

SHA1
55293bb44be7ef5fc3d0042c83908e17ce722e2a

SHA256
96bc10c9c0275706636843dd58c7a72232ccb902462646a8b76c6ca8be496799

SHA512
2fb7b192e377c9bbb04fe70992b12e557fb5a755bdbc6a96a97139ec7a7a6cfa33ffce074a5ca3f9be18898dbca699a792c0d858a4e2512fb96c4b91e1c9ea32

Download Submit
memory/4708-508-0x0000000004280000-0x00000000042DB000-memory.dmp

Filesize
364KB

Download
memory/4708-510-0x0000000004280000-0x00000000042DB000-memory.dmp

Filesize
364KB

Download
memory/4708-513-0x0000000004280000-0x00000000042DB000-memory.dmp

Filesize
364KB

Download
memory/4708-512-0x0000000004280000-0x00000000042DB000-memory.dmp

Filesize
364KB

Download
memory/4708-511-0x0000000004280000-0x00000000042DB000-memory.dmp

Filesize
364KB

Download
memory/4708-509-0x0000000004280000-0x00000000042DB000-memory.dmp

Filesize
364KB

Download